Access denied on system files

You have this computer with some Windows operating system client and everything works fine. Then you have some internal network or another reason to add a DNS name to the hosts file in %systemroot%system32driversetc.

No big deal you thought. Wrong! You have a major problems and you cannot find the problem and solution.

Unfortunately there is no single cause and quick solution for this problem; hence, we need to check a few things (step by step) until we have fixed this problem. So, make sure you read everything from top till buttom or until you get it to work.

Access denied

So, lets start. The first thing you encounter is the Access Denied message when you like to save the update in the file. Even worse you are not even allowed to temporarily save the file with another name in the same folder. Actually, you discover that you have neither change nor delete access to that folder at all.

Of course, you think about the Read-only thing which for some stupid reason responds with an Access Denied message. You check your hosts file properties, everything is fine. Next you look at your security settings for the file. You check the Administrators group and you check your membership, i.e. that you are indeed an Administrator. Everything is exactly as it should be. You even use the Effective Permissions to verify. All clear but still: You have no update priviledges to your folder and files.

Folder is Read Only

Somehow you wonder about inheritance and if something is wrong with the parent folders in your system32 tree. Although, if there were some funny security settings you should have seen them in the Security tab through inheritance. Nevertheless, you check and there in the properties window you see Read-only for the folder and the funny message only applies to files in folder. No wonder you think and you try unchecking that setting.

Once you hit OK next you see is some warning followed by some other message that administrative priviledges are required. You even get a button to proceed with such priviledges. Nothing really happens though and ultimately the Read-only setting is still there and access is still denied. Awesome!

Windows Explorer mishaps

Lets step back for a moment and talk about the Windows Explorer. The famous Explorer is probably not one of the worst applications in the world but close. I think Microsoft never really thought about completely overhauling or better yet write the application from scratch. Not to mention that it is still integrated and linked somehow with Internet Explorer and the whole host window, but that is another story.

The mishap here is that if something changes like a folder or a file, i.e. goes wrong with the file system, our dear Windows Explorer has no clue what is going on and in desperation it makes a wild guess. Actually not that wild, just two guesses.

Access denied is the preferred choice for a direct action (like open, save) on a object and Read-only in the properties window for an object. Object here means a file or a folder.

Simple as that: If Windows Explorer encounters a problem with an object its response is one of these two. If it is in fact Access denied it does not care, it does not know it cannot tell. Same with read-only in the properties window. Oh something is not as planned, lets mark it Read-only. Easy as pie!

Command line dir and attrib

We don't really need Windows Explorer to see things different and hopefully a little bit clearer. There is our command line program, cmd.exe. Unfortunately looking at the folder with dir and attrib does not show anything suspicious. Furthermore, attrib does not show any read-only marks, not even system attributes!

User Account Control (UAC)

I really lost contact, meaning indepth knowledge, with the latest versions of Windows but I have to use Vista and Windows 7. So, I am not sure what the exact levels and results are with User Account Control but this is where we will find our problem—if you have checked everything I mentioned before but you still have no access.

Microsoft introduced this concept, I believe, mostly or only for the dummy home user and the Home Editions. As if the security settings and other measures weren't enough. So, they came up with this User Account Control (UAC) that basically goes far above and beyond any security settings. Worst of all, it flies under the radar of most tools—yes including Windows Explorer. Nobody sees what is going on, everybody is blind.

Windows Explorer is totally oblivious to its existance as are all the command line tools. Well done!

UAC shields the operating systems and most of the files and folders from random changes. Don't get me wrong, I think this is not entirely a bad thing, but why create something new and not update the tools? All the pop ups and questions for every little change are the result of UAC. For executable files this seem to work fine however it does not go well if you access the files directly in the system folder.

Conclusion

If you have to make changes to the system folders directly you have to turn UAC completely off. UAC shields access beyond the current file level security.

Depending on your confidence level and what sort of programs you are likely to run and use on your computer you should set UAC back to the previous level.